
Commit 45a00d6

Add build provenance attestation
1 parent 92cfaf2 commit 45a00d6

2 files changed

Lines changed: 12 additions & 14 deletions


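--- a/.github/workflows/publish-to-pypi.yaml
+++ b/.github/workflows/publish-to-pypi.yaml
@@ -21,6 +21,7 @@ jobs:
 permissions:
 contents: write
 id-token: write # For trusted publishing
+attestations: write # For artifact attestation
 
 steps:
 - name: Checkout repository
@@ -39,6 +40,11 @@ jobs:
 - name: Build the wheel
 run: python3 -m hatch build
 
+- name: Attest build provenance
+uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+with:
+subject-path: ./dist/*
+
 - name: Upload artifacts
 uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
 with:
@@ -50,13 +56,6 @@ jobs:
 with:
 verbose: true
 
-- name: Sign with sigstore
-uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c # v3.1.0
-with:
-inputs: >-
-./dist/*.tar.gz
-./dist/*.whl
-
 - name: Create GitHub Release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}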
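Review bot: Dropping the "Sign with sigstore" step also drops the `.sigstore.json` bundles it wrote next to `./dist/*.tar.gz` and `./dist/*.whl`, and the new attest step does not write anything into `./dist/`, so whatever the "Create GitHub Release" step (its file list is outside this hunk) and the project docs told users to verify with `sigstore verify` no longer exists; the verification instructions need to move to `gh attestation verify --owner <OWNER> <artifact>` against the GitHub attestation store, and it is worth stating that in the commit message or README. The same applies to the matching hunks in `.github/workflows/publish-to-testpypi.yaml`. If the publish step is `pypa/gh-action-pypi-publish` (the `verbose: true` input suggests it, but the `uses:` line is outside the hunk), note that its own `attestations` input produces the PEP 740 attestations PyPI serves, and that the `actions/attest-build-provenance` record is a separate, GitHub-side artifact; a one-line comment on the new step such as `# GitHub-side provenance (gh attestation verify); PyPI-side attestations come from the publish step` would keep the two from being confused. `subject-path: ./dist/*` attests every file present in `dist/` at that point, which is fine on a fresh runner but means anything the build step leaves there besides the wheel and sdist is also signed as a release artifact.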

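--- a/.github/workflows/publish-to-testpypi.yaml
+++ b/.github/workflows/publish-to-testpypi.yaml
@@ -18,6 +18,7 @@ jobs:
 permissions:
 contents: write
 id-token: write # For trusted publishing
+attestations: write # For artifact attestation
 
 steps:
 - name: Checkout repository
@@ -51,6 +52,11 @@ jobs:
 - name: Build the wheel
 run: python3 -m hatch build
 
+- name: Attest build provenance
+uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+with:
+subject-path: ./dist/*
+
 - name: Upload artifacts
 uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
 with:
@@ -63,13 +69,6 @@ jobs:
 repository-url: https://test.pypi.org/legacy/
 verbose: true
 
-- name: Sign with sigstore
-uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c # v3.1.0
-with:
-inputs: >-
-./dist/*.tar.gz
-./dist/*.whl
-
 - name: Create GitHub Release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}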
